mirrors/discord.py
1
0
Fork 0
mirror of https://github.com/Rapptz/discord.py.git synced 2025-06-07 20:28:38 +00:00
Code Issues Projects Releases Wiki Activity

Sanitize invite argument before calling the invite info endpoint

Browse Source 
Fixes a potential path traversal bug that can lead you to superfluously
and erroneously call a separate endpoint.
This commit is contained in:
Rapptz 2024-11-23 21:48:45 -05:00
parent 7db879b5bd
commit 5c4c281f05
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
discord/utils.py
View File

@ -868,6 +868,12 @@ def resolve_invite(invite: Union[Invite, str]) -> ResolvedInvite:
invite: Union[:class:`~discord.Invite`, :class:`str`] invite: Union[:class:`~discord.Invite`, :class:`str`]
The invite. The invite.
Raises
-------
ValueError
The invite is not a valid Discord invite, e.g. is not a URL
or does not contain alphanumeric characters.
Returns Returns
-------- --------
:class:`.ResolvedInvite` :class:`.ResolvedInvite`
@ -887,6 +893,11 @@ def resolve_invite(invite: Union[Invite, str]) -> ResolvedInvite:
event_id = url.query.get('event') event_id = url.query.get('event')
return ResolvedInvite(code, int(event_id) if event_id else None) return ResolvedInvite(code, int(event_id) if event_id else None)
allowed_characters = r'[a-zA-Z0-9\-_]+'
if not re.fullmatch(allowed_characters, invite):
raise ValueError('Invite contains characters that are not allowed')
return ResolvedInvite(invite, None) return ResolvedInvite(invite, None)